Wednesday, April 1, 2015

GitHub DDoS

We are currently experiencing the largest DDoS (distributed denial of service) attack in github.com's history. The attack began around 2AM UTC on Thursday, March 26, and involves a wide combination of attack vectors. These include every vector we've seen in previous attacks as well as some sophisticated new techniques that use the web browsers of unsuspecting, uninvolved people to flood github.com with high levels of traffic. Based on reports we've received, we believe the intent of this attack is to convince us to remove a specific class of content.

The two GitHub pages are constantly loaded and reloaded by millions of computer users inside and outside of China, an endless loop that, left unmitigated, caused outages not just on the two targeted pages but throughout GitHub's entire network. Exhibit A in the case in which China is involved is the two specific GitHub pages targeted: one hosts anti-censorship service GreatFire.org while the other hosts a mirror site of The New York Times' Chinese edition. The targets suggest the attackers are sympathetic to the vast censorship apparatus known as the Great Firewall of China.

One website the user visits loads a javascript from a server in China, for example the Baidu Analytics script that is often used by web admins to track visitor statistics (much like Google Analytics).

The web browser's request for the Baidu javascript is detected by the Chinese passive infrastructure.

A fake response is sent out from within China instead of the actual Baidu Analytics script. This fake response is a malicious javascript that tells the user's browser to continuously reload two specific pages on GitHub.com.

On March 17th 2015, our websites and partner websites came under a DDoS attack. We had never been subjected to an attack of this magnitude before. This attack was unusual in nature as we discovered that the Chinese authorities were steering millions of unsuspecting internet users worldwide to launch the attack. We believe this is a major cyber-security and economic threat for the people of China.

GreatFire.org’s mirroring services provide unrestricted access within China to a range of websites, including itself and the Chinese language version of The New York Times, which has been regularly blocked in China. Some of the others are Deutsche Welle, BBC News, China Digital Times, Google.com, and Boxun, a Chinese-language news website. GreatFire.org says it does not mirror The Wall Street Journal. GreatFire.org works directly with some, but not all, of the websites it mirrors.

GreatFire.org is partly funded by Open Technology Fund, a United States government-financed initiative under Radio Free Asia. Last year it provided $114,000 in funding, according to its website. Mr. Smith declined to comment on any financial backing.

What is happening here is pretty clear now:
A certain device at the border of China’s inner network and the Internet has hijacked the HTTP connections going into China, replaced some javascript files from Baidu with malicious ones that would load

Github’s whole site uses HTTPS encryption, so when a Chinese netizen visits content hosted on the site, Chinese censors can only see that the user is visiting github.com, but not the full URL address within GitHub. So China can't selectively block just some content on GitHub without blocking the entire site.

Instead of completely controlling a network node as in a man-in-the-middle attack, the attacker only has regular access to the communication channel, which allows him to read the traffic and insert new messages, but not to modify or delete messages sent by other participants. The attacker relies on a timing advantage to make sure that the response he sends to the request of a victim arrives before the legitimate response.
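The race described above, as an added model written for this post (not code from any of the quoted sources): the server always answers, the attacker can only read the request and inject a second response, and the client takes whichever arrives first. The script bodies, the `/analytics.js` path and the digest-pinning client are constructed assumptions; the pinned client stands in for the integrity guarantee that HTTPS (or a pinned script hash) gives the browser.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample bodies; neither is real analytics code nor real attack code.
LEGIT_SCRIPT = b"/* analytics (constructed sample) */ trackVisit();"
INJECTED_SCRIPT = b"/* injected (constructed sample) */ reloadForever();"


@dataclass
class Response:
    arrival_ms: int  # when the client sees this response on the wire
    body: bytes


def man_on_the_side(request_path, server_rtt_ms, attacker_lead_ms):
    """Model the channel: the server always answers after server_rtt_ms.
    An attacker who can only observe the request and inject packets (never drop
    or alter the server's own reply) adds a second response that lands
    attacker_lead_ms before the legitimate one when positive, after it when
    negative. Only the watched script path is targeted (assumed path)."""
    responses = [Response(server_rtt_ms, LEGIT_SCRIPT)]
    if request_path.startswith("/analytics.js"):
        responses.append(Response(server_rtt_ms - attacker_lead_ms, INJECTED_SCRIPT))
    return sorted(responses, key=lambda r: r.arrival_ms)


def plain_client(responses):
    """Plain HTTP behaviour: the first response to arrive is accepted and the
    later duplicate is discarded, so whoever wins the race controls the script."""
    return responses[0].body


def pinned_client(responses, expected_sha256):
    """Client that accepts only a body whose SHA-256 matches a pinned digest;
    a non-matching response is skipped and the later legitimate one is used."""
    for r in responses:
        if hashlib.sha256(r.body).hexdigest() == expected_sha256:
            return r.body
    return None


LEGIT_DIGEST = hashlib.sha256(LEGIT_SCRIPT).hexdigest()

if __name__ == "__main__":
    race = man_on_the_side("/analytics.js?site=example", server_rtt_ms=120, attacker_lead_ms=40)
    print(plain_client(race) == INJECTED_SCRIPT)             # True: injected copy won the race
    print(pinned_client(race, LEGIT_DIGEST) == LEGIT_SCRIPT)  # True: fake discarded, real kept
```

With a negative lead the injected copy arrives after the server's reply and even the plain client discards it, which is why the attack depends entirely on the timing advantage.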

The attackers have implemented a sneaky mechanism that allows them to manipulate a part of the “legitimate traffic” from inside and outside China to launch and steer Denial of Service attacks against Cloudfront and GreatFire.org's anti-censorship project.

Because the overall internet is too important to block, and because some sites are necessary (like GitHub), there are always holes in the system. Add in a useful dose of encryption (yay!) and the ability to control everything that's read in one particular country becomes increasingly difficult. You might hope the response would be to give up attempts to censor, but China isn't likely to give up just like that. So, instead, it's basically trying to censor the global internet, by launching a high-powered attack on the site that is the problem, while basically saying "get rid of these projects and we'll stop the attack."